PacSec 2017 Speaker Names and Presentation Content

The diverse Android app stores are full of applications written in multiple languages and frameworks. When it comes to optimizing for performance and cutting-edge features, the ultimate choice is specialized components written in C/C++. But with increased power comes increased responsibility, as native components tend to rot over time and turn an installed application into a security nightmare. OWASP has placed this scenario on their Top 10 list as "Using components with known vulnerabilities".

In our research we switched from policy to practice and examined a sample of prominent apps with large download counts. Unfortunately, even in 2017 major vendors ship their colorful applications with well-known security problems: some have weekly updates on the functionality side but leave the ugly backyard of outdated native libraries (even ones with CVSS 10 vulnerabilities) untouched. The presentation will cover this and other Android deployment antipatterns that leave the user in danger of exploitation, enriched with mitigation recommendations and real-life examples.

After the presentation a tool will be released that will allow end users to conduct similar investigations on their own Android devices.

In recent research, we discovered multiple critical vulnerabilities in home, business and industrial collaborative robots from well-known vendors. With responsible disclosure now completed, it’s time to reveal all the technical details, threats, and how attackers can compromise different robot ecosystem components with practical exploits. Live demos will showcase different exploitation scenarios that involve cyber espionage, harmful insider threats, property damage, and more.

Through realistic scenarios we will unveil how insecure modern robot technology can be and why hacked robots could be more dangerous than other insecure technologies. The goal is to make robots more secure and prevent vulnerabilities from being exploited by attackers to cause serious harm to businesses, consumers, and their surroundings.

Communication protocols have evolved from the traditional serial and LAN ports to the complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for wearables, which are low-energy, low-performance computing systems. The BLE standard specification provides a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application, and get access to personal information or cause denial of service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

When an attacker intrudes into a network via an APT attack, the malware infection spreads to many hosts and servers. However, in many cases it is difficult to understand in detail what the attackers did to spread the infection in the network. We investigated attackers' activity in many APT cases by analyzing C&C servers, and as a result it was revealed that attackers execute a series of Windows commands to spread the infection to other hosts. Attackers' activity can therefore be detected by monitoring the execution of Windows commands.

In order to identify lateral movement activity, we learned patterns of the Windows commands executed by attackers out of the many commands observed, and developed a system to detect them using machine learning. With this approach it is possible to detect unknown attack patterns that are difficult to detect with the existing blacklist method. This presentation will explain some of the patterns of Windows commands used in lateral movement that were identified through our research. We will also demonstrate a system for detecting the Windows commands executed by attackers.
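A simplified, rule-based stand-in for the detector described above, as an added example that is not the speakers' machine-learning system: it groups process-creation records per host, maps each command to a coarse lateral-movement phase, and alerts only when one sliding time window covers every phase, so a lone "net view" from an administrator does not fire. The record format, the sample records and the command-to-phase lists are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records "<ISO time> <host> <command line>"; format and lists are assumptions.
SAMPLE_LOG = [
    r"2017-10-20T09:00:01 WS01 net view /domain",
    r"2017-10-20T09:00:07 WS01 net user /domain",
    r"2017-10-20T09:01:12 WS01 net use \\FS01\c$ /user:corp\svc",
    r"2017-10-20T09:01:40 WS01 copy tool.exe \\FS01\c$\windows\temp",
    r"2017-10-20T09:02:05 WS01 at \\FS01 09:05 c:\windows\temp\tool.exe",
    r"2017-10-20T10:15:00 WS02 net view",
]
# Coarse lateral-movement phases; one recon command alone is normal admin noise.
PHASES = {
    "recon": {"net view", "net user", "net group", "tasklist", "systeminfo"},
    "access": {"net use"},
    "spread": {"copy", "at", "schtasks", "wmic", "psexec"},
}
WINDOW = timedelta(minutes=10)

def command_key(cmdline):
    """Reduce a command line to 'net <sub>' or a bare program name (no path, no .exe)."""
    parts = cmdline.split()
    prog = parts[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if prog == "net" and len(parts) > 1:
        return "net " + parts[1].lower()
    return prog

def detect(lines, window=WINDOW):
    """Return (host, start, first command per phase) when one window covers every phase."""
    events = defaultdict(list)
    for line in lines:
        ts, host, cmdline = line.split(" ", 2)
        key = command_key(cmdline)
        for phase, cmds in PHASES.items():
            if key in cmds:
                events[host].append((datetime.fromisoformat(ts), phase, key))
    alerts = []
    for host, evs in sorted(events.items()):
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            seen = {}
            for ts, phase, key in evs[i:]:
                if ts - start > window:
                    break
                seen.setdefault(phase, key)  # first command seen for each phase
            if len(seen) == len(PHASES):
                alerts.append((host, start, seen))
                break  # one alert per host is enough
    return alerts
```

Running `detect(SAMPLE_LOG)` flags WS01 (recon, share access and remote scheduling within two minutes) and stays silent on WS02, whose single "net view" never completes a sequence.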

Everyone is perfectly familiar with logical and black-box attacks on ATMs. But hardly any countermeasures have been taken so far: banks are sure that their devices are perfectly protected, until hackers prove them wrong. The most frequent reason why this happens is the lack of expertise among developers, engineers, and security staff: they have only a vague idea of attack sources and vectors and of what they should monitor and improve.
In this presentation, we'll discuss in detail how exactly hackers break into ATMs and bypass security measures to make machines spit out all the money.

White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has full control of the execution environment and access to the implementation of the cryptographic algorithm. It combines mathematical transformation with obfuscation techniques, so it is not just obfuscation on the data and code level but actual algorithmic obfuscation. In a white-box implementation, cryptographic keys are mathematically transformed in such a way that all calculations with the keys can be performed without ever decrypting them. Although all current academic white-box implementations have been practically broken by various attacks, including table decomposition, power analysis attacks, and fault injection attacks, there are no published reports of successful attacks against commercial white-box implementations to date. When I assessed commercial white-box implementations to check whether they were vulnerable to previous attacks, I found that those attacks failed to retrieve a secret key protected with the commercial white-box implementation. Consequently, I modified side-channel attacks available in the academic literature and succeeded in retrieving a secret key protected with the commercial white-box cryptography implementation.

In this talk, we will see how a seemingly simple filesystem trick, manipulation of indirect block pointers, can be used in two (and possibly more) attacks.

The first attack is for a backdoor that allows persistence on a machine without resorting to modifying binaries or configuration files on the system. A live demo will be shown.

The second attack is in the context of our recent WOOT'17 paper, entitled "From random block corruption to privilege escalation", where we show a filesystem-level attack vector for rowhammer-like attacks on Flash. A recorded demo will be shown.

In this talk, we are going to disclose two unconventional Use-after-free kernel bugs we found last year, and introduce the new techniques we used to make these exploits 100% reliable.

The first bug is CVE-2017-0403, which we used to gain root privilege last year on almost all devices shipped with a 3.10 or earlier Linux kernel. So far more than 14 million users of KingRoot have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself, so achieving kernel code execution with this bug is very challenging. To solve the problem, we propose a new method that uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into arbitrary kernel memory overwriting.

The second bug is CVE-2016-6787, which we used to root a large number of Android devices shipped with both 3.18 and 3.10 Linux kernels (a demonstration of rooting a Samsung Galaxy S7 edge was shown at MOSEC 2016, Shanghai). The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we will introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.

In summary, this presentation presents new techniques for exploiting some unconventional use-after-free bugs we recently found in the Android kernel. The exploitation ideas are new, and the details of the bugs have never been discussed before.

The Advanced Local Procedure Call (ALPC) is an inter-process communication method widely used in recent Windows versions. One important use of ALPC is to perform Remote Procedure Calls (RPC) on the local computer. Whereas ALPC has been scrutinized by security researchers in the last few years, its use in MSRPC has been less documented. In this paper we will explain the core structures and APIs of ALPC and then use them to explore how RPC-over-ALPC works and is used on a recent Windows computer. We will show a full-Python implementation of a simple RPC client and how it can be used to search for vulnerabilities. Finally, we will present a UAC bypass and a Local Privilege Escalation that were found during this work.

Today the production of embedded devices involves multiple suppliers at various stages of the production and support life-cycle. With very few exceptions, no electronics manufacturer actually designs and manufactures every single component of a device in their own factory. These hardware, firmware and manufacturing supply chains introduce considerable risk that threat actors could gain an opportunity to defraud, steal, counterfeit, or otherwise undermine the security of the produced electronic devices.

Out of memory (OOM) is an undesired state in a program where no additional memory can be allocated. Modern web browsers can also be affected by out-of-memory problems when visiting complex pages. Usually, out-of-memory issues in web browsers are considered non-security-related bugs by developers and are often ignored even by security researchers, since most of them are seemingly not exploitable. When hunting for browser bugs, researchers often pay more attention to major bug types such as UAF, overflow and type confusion, but are less interested (or not interested at all) in out-of-memory bugs.

But sometimes out-of-memory bugs can be serious. In late 2016 we did some research on Microsoft's latest web browser, Edge, focused on out-of-memory bugs, to see how serious this type of bug could be in a modern browser and operating system. We got 15+ working RCE exploits and a 64-bit Edge ASLR bypass as the result. We used one of the out-of-memory bugs in the Pwn2Own 2017 contest and successfully exploited 64-bit Edge on Windows 10.

In this presentation, we will first introduce browser OOM vulnerabilities with some historical bugs we found. We will discuss the difference between "exploitable" and "non-exploitable" OOM bugs. Then we will focus on the Edge browser and disclose the details of the OOM vulnerabilities (including the Pwn2Own bug) we found, and how we exploited them by leveraging different internal mechanisms in the Chakra engine.

The trouble with OOM is not limited to memory corruption issues. We will also disclose the details of an interesting ASLR bypass issue where, by leveraging a special feature in the Chakra engine, we can exhaust the memory space and trigger out-of-memory in the 64-bit Edge browser, then use heap spraying to bypass ASLR just like in a 32-bit browser.